DETAILED ACTION

1. Applicant's arguments filed May 12, 2008, have been fully considered but they 
are not persuasive. 

2. Claims 1-16 are pending and have been examined. Claims 17-20 have been 
canceled. 

Response to Amendment 

3. Regarding claims 17-20, the rejection is withdrawn since the claims have been 
canceled. 

4. Regarding the added limitation, a further consideration of the cited art revealed 
that Schneier does in fact teach the feature, see below. 

Claim Rejections - 35 USC §102 

5. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

6. Claims 1-17 are rejected under 35 U.S.C. 102(a) as being anticipated by 
Schneier et al. (US Patent Application Publication 2002/0087882, hereinafter 
Schneier). 

Regarding claim 1, Schneier teaches 

an integrated intrusion detection method comprising (par. 37): 

gathering information from a plurality of different types of intrusion 
detection sensors (pars. 35-36, monitors and collects information 
from sensors); 
processing said information, wherein said processing provides a 
consolidated correlation of said information (pars. 64-65, analysis); 

assigning a severity to said information based on an enterprise wide 
security policy (par. 88-94, incidents have severity levels and 
responses correspond to severity levels); 

assigning a response corresponding to said information (pars. 87-88, 
determine response) and corresponding to said severity (par. 88-94, 
incidents have severity levels and responses correspond to 
severity levels); and 

implementing said response (pars. 87-88, initiates response) according 
to said severity (par. 88-94, incidents have severity levels and 
responses correspond to severity levels). 

Regarding claim 8, Schneier teaches 

a computer usable storage medium having computer readable program code 
embodied therein for causing a computer system to implement intrusion detection 
instructions comprising (par. 37): 

a data collection module for receiving information from a plurality of 
different types of intrusion detection sensors, wherein said information 
indicates potential security issues (pars. 35-36, monitors and collects 
information from sensors); 

an information severity determination module for assigning a severity to 
said information based on an enterprise wide security policy (par. 88-94, 
incidents have severity levels and responses correspond to 
severity levels); 

an integration module for integrating said information in a network 
application management platform (pars. 64-65, analysis); 
a reaction determination module for determining appropriate response to 
indication of said potential security issues (pars. 87-88, determine 
response) according to said severity (par. 88-94, incidents have 
severity levels and responses correspond to severity levels); and 
a reaction direction module for directing said response (pars. 87-88, 
initiates response) according to said severity (par. 88-94, incidents 
have severity levels and responses correspond to severity levels). 

Regarding claims 2 and 9, Schneier teaches wherein said information includes 
intrusion detection alerts (pars. 62-64, alerts). 

Regarding claim 3, Schneier teaches centrally tracking information associated 
with intrusion detection alerts from said plurality of different types of intrusion detection 
sensors (pars. 35-36, monitors and collects information from sensors, pars. 63-64). 

Regarding claim 4, Schneier teaches wherein said tracking information 
associated with intrusion detection includes assigning severity assignments 
standardized across said plurality of different types of intrusion detection sensors (pars. 
21 and 42, prioritize, par. 105, modify priority of problem). 
Regarding claim 5, Schneier teaches wherein said intrusion detection alerts are 
correlated based upon various alert attributes (pars. 88-94, alerts and links to 
possible responses). 

Regarding claim 6, Schneier teaches wherein said response conforms to an 
enterprise wide strategy (par. 60, rules). 

Regarding claim 7, Schneier teaches managing said intrusion detection sensors 
(par. 37, adaptive sensors, receive updates dynamically). 

Regarding claim 10, Schneier teaches wherein said integration module selects 
appropriate hooks in an intrusion detection system (pars. 41-42, connecting through 
pipes). 

Regarding claim 11, Schneier teaches wherein said data collection module logs 
alerts from said plurality of different types of intrusion detection sensors (pars. 35-36, 
monitors and collects information from sensors, pars. 63-64). 

Regarding claim 12, Schneier teaches wherein said alerts are provided by a 
simple network management protocol (SNMP), a system log and an application 
program interface (par. 36, SNMP sensors, syslogs, SNMP traps). 

Regarding claim 13, Schneier teaches wherein said integration module includes 
analyzing a plurality of manners in which an alert can be provided and selecting the 
manner that is the most secure with the least dependencies in a communication path 
(pars. 63, selecting alert method). 
Regarding claim 14, Schneier teaches wherein said integration module utilizes 
a network application management platform to log information (pars. 58-60, 
SOCRATES). 

Regarding claim 15, Schneier teaches wherein: an open view operation simple 
network management protocol trap is utilized to handle simple network management 
protocol trap based alerts; an open view operation log file encapsulator handles system 
log based alerts; and an open view message interceptor handles application program 
interface propagated alerts with the help of an operation message mechanism (par. 36, 
SNMP sensors, syslogs, SNMP traps). 

Regarding claim 16, Schneier teaches wherein a secure open view template 
configuration is utilized to log information and the one message group is configured for 
handling intrusion detection system alerts and another message group is configured for 
handling intrusion detection system errors (pars. 106-108, diverse groups and 
individuals are configured to receive alerts). 
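The claim elements mapped above (gathering from several sensor types, consolidated correlation, a severity assigned under an enterprise-wide policy, a response chosen and carried out according to that severity, and separate message groups for IDS alerts and IDS errors) outline a processing pipeline. The Python below is an added illustration of that pipeline and is not code from this Office action, from the applicant's disclosure or from Schneier; the SNMP, syslog and API input formats, the policy table, the response names and the sample inputs are all constructed for the example.

```python
"""Toy model of the claimed pipeline: gather -> correlate -> severity -> response.

Everything here is constructed for illustration; no real sensor format is assumed.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Enterprise-wide policy (assumed for this example): a base severity per alert class,
# an escalation rule when several sensor types corroborate an incident, and the
# response each severity level triggers.
POLICY = {
    "base_severity": {"scan": 1, "brute_force": 2, "malware": 3},
    "escalate_if_sensor_types": 2,  # corroboration by >= 2 sensor types adds one level
    "responses": {1: "log", 2: "notify_analyst", 3: "block_source", 4: "isolate_host"},
}


@dataclass(frozen=True)
class Alert:
    sensor_type: str  # "snmp", "syslog" or "api"
    source_ip: str
    alert_class: str
    detail: str


def parse_snmp_trap(varbinds: dict) -> Alert:
    """Normalise a (constructed) SNMP trap varbind mapping from a network sensor."""
    return Alert("snmp", varbinds["srcAddr"], varbinds["eventClass"], varbinds["eventDesc"])


# Constructed syslog shape: "<pri>Mon DD HH:MM:SS app: class=<cls> src=<ip> <message>"
SYSLOG_RE = re.compile(
    r"^<\d+>\S+ \S+ \S+ (?P<app>\S+): class=(?P<cls>\S+) src=(?P<src>\S+) (?P<msg>.*)$"
)


def parse_syslog(line: str) -> Optional[Alert]:
    """Normalise a (constructed) host-sensor syslog line; None if it is not an alert."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return Alert("syslog", m["src"], m["cls"], m["msg"])


def parse_api_event(payload: str) -> Alert:
    """Normalise a (constructed) JSON event pushed by an application-level sensor."""
    ev = json.loads(payload)
    return Alert("api", ev["source"], ev["category"], ev["description"])


@dataclass
class Incident:
    source_ip: str
    alert_class: str
    alerts: list = field(default_factory=list)

    @property
    def sensor_types(self) -> set:
        return {a.sensor_type for a in self.alerts}


def correlate(alerts):
    """Consolidate alerts that share source and class into one incident."""
    incidents = {}
    for a in alerts:
        key = (a.source_ip, a.alert_class)
        incidents.setdefault(key, Incident(a.source_ip, a.alert_class)).alerts.append(a)
    return list(incidents.values())


def assign_severity(incident, policy=POLICY) -> int:
    """Policy-based severity: base level for the class, escalated on corroboration."""
    sev = policy["base_severity"].get(incident.alert_class, 1)
    if len(incident.sensor_types) >= policy["escalate_if_sensor_types"]:
        sev += 1
    return min(sev, max(policy["responses"]))


def assign_response(severity: int, policy=POLICY) -> str:
    """The response is a function of severity, as the mapped claims recite."""
    return policy["responses"][severity]


def run_pipeline(raw_inputs, policy=POLICY):
    """Gather from all sensor types, correlate, score, and route to two message groups."""
    parsers = {"snmp": parse_snmp_trap, "syslog": parse_syslog, "api": parse_api_event}
    alerts, errors = [], []
    for kind, raw in raw_inputs:
        try:
            parsed = parsers[kind](raw)
        except (KeyError, ValueError) as exc:  # malformed input is an IDS error, not an alert
            errors.append(f"{kind}: {exc}")
            continue
        if parsed is not None:
            alerts.append(parsed)
    results = []
    for inc in correlate(alerts):
        sev = assign_severity(inc, policy)
        results.append({"source_ip": inc.source_ip, "class": inc.alert_class,
                        "sensor_types": sorted(inc.sensor_types),
                        "severity": sev, "response": assign_response(sev, policy)})
    # One message group for IDS alerts and another for IDS errors (cf. the claim 16 mapping).
    return {"ids-alerts": results, "ids-errors": errors}


# Constructed sample inputs covering the three transport types plus two edge cases.
SAMPLE_INPUTS = [
    ("snmp", {"srcAddr": "203.0.113.7", "eventClass": "brute_force", "eventDesc": "ssh auth failures"}),
    ("syslog", "<34>Jan 05 10:01:02 hids: class=brute_force src=203.0.113.7 20 failed logins"),
    ("api", '{"source": "198.51.100.9", "category": "scan", "description": "port sweep"}'),
    ("syslog", "<34>Jan 05 10:01:05 hids: heartbeat ok"),  # not an alert, ignored
    ("api", '{"source": "198.51.100.9", "category": "scan"'),  # truncated JSON -> error group
]

if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE_INPUTS), indent=2))
```

The corroboration rule is the part worth noticing: the brute-force incident seen by both the network (SNMP) and host (syslog) sensors is escalated from severity 2 to 3 and so draws a blocking response, while the single-sensor scan stays at severity 1 and is only logged. Routing parse failures to a separate error group keeps sensor faults from being mistaken for, or buried among, security alerts.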

Conclusion 

7. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. Hackenberger et al. (US Patent Application Publication 
2002/0184532) teaches multiple security modules providing alerts, Fischman et al (US 
Patent Application Publication 2003/0097588) teaches correlating security information 
from diverse sources for intrusion detection, Bruton, III et al. (US Patent Application 
Publication 2003/0145225) teaches a centralized intrusion detection system, Scheidell 
(US Patent Application Publication 2004/0098623) teaches an IDS gathering 
information from a plurality of different types of intrusion detection sensors; processing 
said information, wherein said processing provides a consolidated correlation of said 
information; assigning a response corresponding to said information; and implementing 
said response. 

8. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

9. A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

10. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to DAVID CERVETTI whose telephone number is 
(571)272-5861. The examiner can normally be reached on Monday-Tuesday and 
Thursday-Friday. 

11. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on (571)272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

12. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
Examiner, Art Unit 2136 